trust but verify why and how to establish trust in
play

Trust but verify: Why and how to establish trust in embedded - PowerPoint PPT Presentation

Dec 16, 2022 •264 likes •649 views

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This talk Introduction Economic aspects Why make secure products? Trust in embedded devices Verifying trust Conclusion Aurlien

  1. Trust but verify: Why and how to establish trust in embedded devices Aurélien Francillon

  2. This talk • Introduction • Economic aspects • Why make secure products? • Trust in embedded devices • Verifying trust • Conclusion Aurélien Francillon / Eurecom 2 Mar 17, 2016

  3. Introduction • This talk: a “consequence” of about 10 years of working on the security of embedded systems software • Practical approach • Attacking systems • Analysing systems (real products) • Developing new security mechanisms to make software more secure • Unfortunately • A lot of this “systems security” knowledge is not public • Why is it so often so bad ? Aurélien Francillon / Eurecom 3 Mar 17, 2016

  4. Problems found in a large scale analysis • Analysed ~30000 Firmware images • Hard-coded passwords, SSL keys… • SSL private keys which are used by 40,000 IP on the internet... • Same vulnerabilities across difgerent products • Code sharing, Vulnerability sharing • Several hundreds of vulnerable fjrmware images… tens of CVEs • Web analysis: Many basic problems Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces A. Costin, , A. Zarras, A. Francillon AsiaCCS 2016 A Large Scale Analysis of the Security of Embedded Firmwares A. Costin, J. Zaddach, A. Francillon, D. Balzarotti, Usenix Security 2014

  5. Security for the 99% • There are some very secure devices • Smartcards, HSMs, ... • Not fmawless but with a reasonable level of security • This is “1%” of the devices Aurélien Francillon / Eurecom 5 Mar 17, 2016

  6. Security for the 99% • There are some very secure devices • Smartcards, HSMs, ... • Not fmawless but with a reasonable level of security • This is “1%” of the devices • The remaining 99% is not • Soho equipment • Computers peripherals • (Some) Industrial systems, etc. • Security for the 99% ? Aurélien Francillon / Eurecom 6 Mar 17, 2016

  7. An economic problem • Intuitively security requires an extra efgort • Costs money • Customers may not want to pay for it A bit more complicated… • Anderson / Schneier “economics of security” • Security an externality: • Manufacturer often not responsible for operating the device • No direct loss in case of breach • So “why bother with security” Aurélien Francillon / Eurecom 7 Mar 17, 2016

  8. Market for Lemons or silver bullets? • Markets with asymmetric information • Market for Lemons: Used car market (Akerlof) • When selling a product seller knows more, buyer less • This drives down the average price of an used car • Security products: Both seller and buyer lack information (Grigg) • Spafgord: how to test a unicorn detection device? • Market for silver bullets • Security products v.s. Product security • Product security is a lemons' market Aurélien Francillon / Eurecom 8 Mar 17, 2016

  9. Motivations for trust/security on Manufacturers' side Security considered when: • There are active attacks on asset to protect • Conditional access for Pay TV • Actual goal is to resist to the attacks • Must not fail • E.g., critical military system • No need to be profjtable • Regulations, standards, certifjcations to pass • ID documents, payment processing • Actual goal is to get the certifjcation • For the 99% ? Aurélien Francillon / Eurecom 9 Mar 17, 2016

  10. Economically speaking: Security or not? • In the short term, probably no... • Time to market, Cost • Users wants features Schneier: “Any smart software vendor will talk big about security, but do as little as possible, because that's what makes the most economic sense.” • In the long term • A big problem • Maintenance, legacy, users defjance • Costs can be higher than the initial development • Life Cycle (How long will the manufacturer support it?) Aurélien Francillon / Eurecom 10 Mar 17, 2016

  11. Transparency v.s. security • Kerckhofgs 2nd design principle: • “... It should not require secrecy, and it should not be a problem if it falls into enemy hands” • Often interpreted as: • “if the system is not open and does not receive public scrutiny then it is not secure” • Or ”Security by obscurity is bad” • A wrong interpretation • Hiding the system details is actually making attacks much harder • Many more factors • However, this has other bad efgects... Aurélien Francillon / Eurecom 11 Mar 17, 2016

  12. Small digression... • One day I was given old scope for free to play at home... • It worked 5 minutes and then the Magic Smoke escaped... Aurélien Francillon / Eurecom 12 Mar 17, 2016

  13. Small digression... Tektronix 2445 Service manual 330 pages

  14. Aurélien Francillon / Eurecom 14 Mar 17, 2016

  18. In the “good old days”... • Before there was documentation for: • Mini computers, • Apple II • Today datasheets often not available, even for: • Raspberry PI • Intel Edison • Any secure device Aurélien Francillon / Eurecom 18 Mar 17, 2016

  19. Trust and transparency • To trust something we need to • Blindly trust? • Verify it, inspect it? • Asymmetric market • Manufacturer knows • Customer cannot evaluate security • Lack of transparency damages market of secure devices, users cannot: • Educate themselves • Learn about security • Evaluate security • Compare devices • How could they want to pay more for security? Aurélien Francillon / Eurecom 19 Mar 17, 2016

  20. Lack of transparency • Basic security measures often make them less transparent • Makes third party audit very hard • But does not mean the device is secure… • Secrecy leads to suspicion • What is the device doing with my data? • Trying to hide a poor level of security? • Something nasty to hide? Aurélien Francillon / Eurecom 20 Mar 17, 2016

  21. From an actual smartphone chip • Dumped a bootloader in Mask ROM • No FBI, it's not an iPhone! Aurélien Francillon / Eurecom 21 Mar 17, 2016

  22. Security or lock out • Who is in control of the device • Your Manufacturer? • Your government, another one? • Trusted Computing as “Treacherous Computing” (R. Stallman) • Users should eventually be in control Aurélien Francillon / Eurecom 22 Mar 17, 2016

  23. Design problem We need systems to be designed for: • User Trust • Letting the choice to the user, owner of the device to which software is running on the device • Let the user know which software it is running • Security Analysis • We need to be able to independently inspect those systems Aurélien Francillon / Eurecom 23 Mar 17, 2016

  24. Design for User Trust • To trust the systems, users needs to: • Know what is running • Chose what can be running • Be in control • Be able to verify • Currently there are devices which • We can control, but have zero security (e.g., unlocking android) • Are secure but under the control of someone else (iPhone) Aurélien Francillon / Eurecom 24 Mar 17, 2016

  25. Design for User Trust: examples • My new laptop • Has an UEFI Firmware • Loaded with my own keys • Secure boot, only code I signed • Joanna Rutkowska proposal of a state- less laptop • Without R/W memories • All fjrmware loaded from an external, trusted, device Aurélien Francillon / Eurecom 25 Mar 17, 2016

  26. Design for Security Testing • When do we really need to be able to analyse embedded devices? • Each fjrmware version Detect vulnerabilities • Each independent device Shipped with bad FW • Regularly Check for compromise • Exceptionally Forensics • Need for independent analysis • Requires some access to the device (DFUT) • But not reducing the security of the device… Authenticate users? Aurélien Francillon / Eurecom 26 Mar 17, 2016

  27. Design for Security Testing • Currently fjrst security measures in an embedded system makes it harder to test: • Locking JTAG • Encrypt/Sign code • Testing embedded systems is diffjcult We developed a tool for security testing • Avatar http://s3.eurecom.fr/tools/avatar/ Aurélien Francillon / Eurecom 27 Mar 17, 2016

  28. In Summary • We need more transparency • Datasheets! • Access to debug ports! • Not because it makes devices more secure but it makes: • Auditable • Trustworthy • Forensics possible • We need mechanisms that • Put users in control • Do not introduce new vulnerabilities • Are easy to integrate in products Aurélien Francillon / Eurecom 28 Mar 17, 2016

  29. Questions?

  30. Backup slides

  31. Liability • Schneier argues for liability • Did not happen… will it one day? • Probably in some regulated / life threatening markets? • Toyota sudden unintended acceleration • 9 Million cars recalled • 37 deaths alleged • Will this occur for the 99%? • I guess not Aurélien Francillon / Eurecom 31 Mar 17, 2016

  32. Hard disk drive security • A disk Drive runs a fjrmware • with its own OS • Can be updated • Could be compromised • what would be the consequences ? • The required efgort • To discover it we did it • Took a disk and reverse engineered it • designed a backdoor • So yes, feasible but diffjcult, but a few days later... Implementation and Implications of a Stealth Hard-Drive Backdoor J. Zaddach, A. Kurmus, D. Balzarotti, E. Blass, A. Francillon, T. Goodspeed, M. Gupta, I. Koltsidas, best student paper award, ACSAC 2013,

  35. IRATEMONK (12/2013)

Recommend

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment? CEC Entertainment, Irving TX Founded by Nolan Bushnell Revenue What Is CEC Entertainment? What Is CEC Entertainment? What Is CEC Entertainment?

305 views • 19 slides
Trust but verify Distinguishing distrust from vigilance via Mark L oczy

Trust but verify Distinguishing distrust from vigilance via Mark L oczy

Trust but verify Distinguishing distrust from vigilance via Mark L oczy Livia.Markoczy@ucr.edu The A. Gary Anderson Graduate School of Management University of California, Riverside Trust but verify p.1/31 The problem Trust but

654 views • 31 slides
Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy. The original

437 views • 32 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
Trust, but Verify: What the Digital and Transparency Revolutions in Social Science Mean

Trust, but Verify: What the Digital and Transparency Revolutions in Social Science Mean

8/2/2015 University of Chicago Peking University Summer Institute on International Relations Theory and Methods (Beijing, August 2015) Trust, but Verify: What the Digital and Transparency Revolutions in Social Science Mean for You

333 views • 16 slides
NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For ACM CCS I ndustry/ Govt Track Oct. 26, 2004 Carl Landwehr ( clandweh@nsf.gov ) Cyber Trust Coordinator National Science Foundation What s the

439 views • 17 slides
Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization creates opportunities and risks Page 2 And its common truth We cant expect people to actively support the digital transformation if we cannot

499 views • 11 slides
The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability

The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability

The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability based upon positive expectations of the intention or behaviour of another. Key components of TRUST include (1) the recognition of vulnerability

471 views • 13 slides
Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust:

Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust:

Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust: confidence in, or an assured reliance on, the character, integrity, ability, strength, or truth of someone or something faith: Confidence or

784 views • 33 slides
Trust rust What is Trust? A Definition Trust is a phenomenon of reliance on the good intentions

Trust rust What is Trust? A Definition Trust is a phenomenon of reliance on the good intentions

Trust rust What is Trust? A Definition Trust is a phenomenon of reliance on the good intentions and/or adequate competences of others in situations characterized by dependence, vulnerability and risk.* *Luhmann (1968), Baier (1986, 1992),

573 views • 7 slides
Dynamics, robustness and fragility Private trust Public trust of trust Conclusions Dusko

Dynamics, robustness and fragility Private trust Public trust of trust Conclusions Dusko

Dynamics of trust Dusko Pavlovic Introduction Dynamics, robustness and fragility Private trust Public trust of trust Conclusions Dusko Pavlovic Kestrel Institute and Oxford University FAST Malaga, October 2008 Dynamics of trust

596 views • 46 slides
Its all about trust(s) Its all about trust(s) Housekeeping We want you to have a great

Its all about trust(s) Its all about trust(s) Housekeeping We want you to have a great

Its all about trust(s) Its all about trust(s) Housekeeping We want you to have a great experience, so: If youre having any sound or viewing issues during the live webinar, please contact the GoToWebinar support team using the link

945 views • 68 slides
Building trust with consumers is foundation to the kind of engagement were seeking for Precision

Building trust with consumers is foundation to the kind of engagement were seeking for Precision

Building trust with consumers is foundation to the kind of engagement were seeking for Precision Health. The adoption and adherence to a set of universal principles called Fair Information Practices, or FIPs, will help establish that trust.

385 views • 14 slides
ENLIGHTENED NEGOTIATION Dr. Mehrad Nazari, MBA The Law of Trust Trust is the foundation of

ENLIGHTENED NEGOTIATION Dr. Mehrad Nazari, MBA The Law of Trust Trust is the foundation of

ENLIGHTENED NEGOTIATION Dr. Mehrad Nazari, MBA The Law of Trust Trust is the foundation of any relationship, collaboration, and negotiation Trust is the congruity of words and actions Trust is a moral credit rating; it is the

466 views • 15 slides
Islands Trust Council September 15, 2011 The Islands Trust Trust Council 26 elected

Islands Trust Council September 15, 2011 The Islands Trust Trust Council 26 elected

Islands Trust Council September 15, 2011 The Islands Trust Trust Council 26 elected representatives of island communities The Islands Trust Act To preserve and protect the unique amenities and environment of this area for:

354 views • 31 slides
Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three roads to trust: 1. Personal: one-on-one 2. Strategy: confidence in what we are doing 3. Process: how things are done Four principles

529 views • 4 slides
@richardfagerlin I DONT Jim TRUST Larry Gayle THEM 2 | T R U S T O L O G Y

@richardfagerlin I DONT Jim TRUST Larry Gayle THEM 2 | T R U S T O L O G Y

@richardfagerlin I DONT Jim TRUST Larry Gayle THEM 2 | T R U S T O L O G Y IMPACT HIGH TRUST LOW TRUST OF TRUST 3 | T R U S T O L O G Y People at high-trust companies report: LOW 74% less stress

402 views • 19 slides
Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S.

Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S.

Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer Agenda U.S. Federal E-Authentication Background Current State of PKI in E-Authentication Future of

675 views • 52 slides
Session 1 The New Codex Trust Fund Purpose of the Codex Trust Fund? The Codex Trust Fund supports

Session 1 The New Codex Trust Fund Purpose of the Codex Trust Fund? The Codex Trust Fund supports

Session 1 The New Codex Trust Fund Purpose of the Codex Trust Fund? The Codex Trust Fund supports countries to build strong, solid and sustainable national capacity to engage in Codex Scope and focus of support from the Codex Trust Fund Well

679 views • 37 slides
Fi First Q Quar arter U r Update from t the e Co Common onweal ealths A Attor orney

Fi First Q Quar arter U r Update from t the e Co Common onweal ealths A Attor orney

Fi First Q Quar arter U r Update from t the e Co Common onweal ealths A Attor orney Goa Goals ESTABLISH AND MAINTAIN ESTABLISH TRUST AND BEGIN FULFILLING TRUST AND RAPPORT WITH CAMPAIGN PROMISES PROFESSIONALISM IN THE

528 views • 15 slides
Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle

Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle

Scott Apps Business Development Manager Castle Trust Intermediary use only Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle Trust was launched in October 2012 by an experienced team of senior

152 views • 11 slides
Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization creates opportunities and risks Page 2 April 2019 Digitalization creates Opportunities Connected Facilities/Plant/Site Billions of devices are

407 views • 12 slides
Public Trust Trustee 1.1 Public Trust Who we are Crown Entity Public Trust is one

Public Trust Trustee 1.1 Public Trust Who we are Crown Entity Public Trust is one

Public Trust Trustee 1.1 Public Trust Who we are Crown Entity Public Trust is one of the largest trustee organisations in New Zealand Operational independence Governance model Corporate Trustee Services (CTS)

694 views • 9 slides

More recommend